AI-generated · no human review · verify operationally critical claims against the linked primary source.how it works →
Storm-3138
actor
· actor:storm-3138
Microsoft Threat Intelligence designation for the actor behind the June 2026 compromise of the Klue competitive-intelligence platform, whose harvested Salesforce credentials were reused to discover, query and exfiltrate customer CRM data — reported within Microsoft's broader account of a year of ShinyHunters-tradecraft Salesforce OAuth-abuse campaigns (Microsoft Threat Intelligence, 2026-07-13).
4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)
Initial Access TA0001
T1199Trusted Relationship×1
Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.
Adversaries may use voice communications to ultimately gain access to victim systems. Spearphishing voice is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of manipulating a user into providing access to systems through a phone call or other forms of voice communications. Spearphishing frequently involves social engineering techniques, such as posing as a trusted source (ex: Impersonation) and/or creating a sense of urgency or alarm for the recipient.
Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.
Microsoft Threat Intelligence documented a year-long (mid-2025 to mid-2026) set of campaigns using tradecraft commonly associated with ShinyHunters (registry alias UNC6240) against Salesforce-integrated environments, through three distinct paths rather than any Salesforce product vulnerability (Microsoft Threat Intelligence, 2026-07-13). First, vishing-driven OAuth-consent abuse: attackers impersonating IT support socially engineer employees through the OAuth authorization workflow into granting a malicious connected app — disguised as the legitimate Salesforce Data Loader — full API access inherited from the victim's own privileges, letting them enumerate and exfiltrate CRM data through sanctioned application access that never trips a sign-in anomaly. Second, SaaS supply-chain compromise: compromised Salesloft Drift credentials (August 2025) exposed OAuth connection secrets reused across customer tenants; a November 2025 campaign abused Gainsight-published Salesforce apps the same way; and in June 2026 an actor Microsoft tracks as Storm-3138 compromised the Klue competitive-intelligence platform and reused harvested Salesforce credentials to query and exfiltrate customer CRM data. Third, guest-access abuse: requests chained against Salesforce's Aura framework via misconfigured guest-user accounts pulled far more data than a guest session should reach (The Hacker News, 2026-07-14). Microsoft observed the activity across retail, education and manufacturing tenants and states existing authentication-focused detections gave "limited visibility" because the traffic is indistinguishable from legitimate integration.
Threat actors socially engineered employees into authorizing attacker-controlled connected apps within their Salesforce tenant.
This activity was not the result of a vulnerability inherent to Salesforce.
malicious activity often appeared indistinguishable from legitimate Salesforce usage because threat actors operated through trusted identities, approved OAuth applications, and authorized integrations.